[5.2.x] Added CVE-2026-3902, CVE-2026-4277, CVE-2026-4292, CVE-2026-33033, and CVE-2026-33034 to security archive.

jacobtylerwalls · jacobtylerwalls · commit da57aaad76e6 · 2026-04-07T08:52:02.000-04:00
Backport of 3330dc2 from main.
diff --git a/docs/releases/security.txt b/docs/releases/security.txt
@@ -36,6 +36,63 @@ Issues under Django's security process
 All security issues have been handled under versions of Django's security
 process. These are listed below.
 
+April 7, 2026 - :cve:`2026-3902`
+--------------------------------
+
+ASGI header spoofing via underscore/hyphen conflation.
+`Full description
+<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <a623c3982857e80324448f85c7faf9a6710330ef>`
+* Django 5.2 :commit:`(patch) <1cc2a7612f97c109b92415fc11ba9bd0501852e0>`
+* Django 4.2 :commit:`(patch) <4412731aa64d62a6dd7edae79e0c15b72666d7ca>`
+
+April 7, 2026 - :cve:`2026-4277`
+--------------------------------
+
+Privilege abuse in ``GenericInlineModelAdmin``.
+`Full description
+<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <08a752c1cd8f378b4c64d96c319da23726df6ed3>`
+* Django 5.2 :commit:`(patch) <60ffa957c427e10a2eb0fc80d1674a8a8ccc30b0>`
+* Django 4.2 :commit:`(patch) <051f3909e820360bbe84a21350e82f4961e3d917>`
+
+April 7, 2026 - :cve:`2026-4292`
+--------------------------------
+
+Privilege abuse in ``ModelAdmin.list_editable``.
+`Full description
+<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <428c48f358c5a0ed5ca2834fb721d615eb2b0e11>`
+* Django 5.2 :commit:`(patch) <397c22048244db2cd4bb78f570e6c72a3967bf36>`
+* Django 4.2 :commit:`(patch) <abfe1a1c57a57cfaf6dd4a0571c029401a0fe743>`
+
+April 7, 2026 - :cve:`2026-33033`
+---------------------------------
+
+Potential denial-of-service vulnerability in ``MultiPartParser`` via
+base64-encoded file upload.
+`Full description
+<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <0910af60468216c856dfbcac1177372c225deb76>`
+* Django 5.2 :commit:`(patch) <0b467893bdde69a2d23034338e76021a1e4f4322>`
+* Django 4.2 :commit:`(patch) <f13c20f81b56108ac477213fa5ada2524b5e5c98>`
+
+April 7, 2026 - :cve:`2026-33034`
+---------------------------------
+
+Potential denial-of-service vulnerability in ASGI requests via memory upload
+limit bypass.
+`Full description
+<https://www.djangoproject.com/weblog/2026/apr/07/security-releases/>`__
+
+* Django 6.0 :commit:`(patch) <393dbc53e848876fdba92fbf02e10ee6a6eace6b>`
+* Django 5.2 :commit:`(patch) <49e1e2b548999a35a025f9682598946bda9e9921>`
+* Django 4.2 :commit:`(patch) <ed4dfda62718a0bb644b80ac8b1d3099861f2295>`
+
 March 3, 2026 - :cve:`2026-25673`
 ---------------------------------
 
